nkorea
Article Id 272467
Description

This article describes the procedure to permit directed broadcasts across an IPsec tunnel.

Scope

FortiGate.
Solution

The following diagram illustrates the scenario:

[Topology diagram: nkorea_0-1694030516237.png]

Win3 (10.0.0.2), located behind the Fortinet1 firewall, is attempting to reach the directed broadcast address 12.0.0.255. That broadcast address belongs to the subnet on Port3 of the Fortinet2 firewall, whose interface IP address is 12.0.0.1/24. The traffic arriving from the tunnel is not forwarded out Port3 but is dropped, as shown below.

 

Fortinet2 sniffer and debug flow output before the change:

 

FGVM08TM22005240 # diagnose sniffer packet any 'host 12.0.0.255' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 12.0.0.255]
2023-09-06 08:33:31.883123 IPSEC1 in 10.0.0.2 -> 12.0.0.255: icmp: echo request
2023-09-06 08:33:36.486793 IPSEC1 in 10.0.0.2 -> 12.0.0.255: icmp: echo request
2023-09-06 08:33:41.490505 IPSEC1 in 10.0.0.2 -> 12.0.0.255: icmp: echo request

FGVM08TM22005240 # diagnose debug flow filter addr 12.0.0.255
FGVM08TM22005240 # diagnose debug flow filter proto 1
FGVM08TM22005240 # diagnose debug flow trace start 100
FGVM08TM22005240 # diagnose debug enable

FGVM08TM22005240 # id=65308 trace_id=1 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:1->12.0.0.255:2048) tun_id=11.0.0.1 from IPSEC1. type=8, code=0, id=1, seq=1422."
id=65308 trace_id=1 func=init_ip_session_common line=6121 msg="allocate a new session-00000255, tun_id=11.0.0.1"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=90000000 gw-0.0.0.0 via root"
id=65308 trace_id=1 func=fw_local_in_handler line=545 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=2 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:1->12.0.0.255:2048) tun_id=11.0.0.1 from IPSEC1. type=8, code=0, id=1, seq=1423."

 

Solution:

In the debug flow output above, the route lookup for 12.0.0.255 returns 'via root' and the packet is handed to fw_local_in_handler: the FortiGate treats the directed broadcast as traffic addressed to itself and drops it under local-in policy 0. Enabling 'broadcast-forward' on the IPsec tunnel interface at both ends makes the unit route the broadcast out Port3 and evaluate it on the forward path against the firewall policy instead (Policy-2 in the output further below), so a firewall policy from the tunnel interface to Port3 that permits the traffic must exist. Because a directed broadcast is delivered to every host on the destination subnet, enable this only on the tunnel interface that needs it and keep that policy restricted to the required sources and services.

 

Fortinet1:

FGVM08TM22005241 (IPSEC) # show
config system interface
    edit "IPSEC"
        set vdom "root"
        set broadcast-forward enable
        set type tunnel
        set snmp-index 9
        set interface "port2"
    next
end

 

Fortinet2:

config system interface
    edit "IPSEC1"
        set vdom "root"
        set broadcast-forward enable
        set type tunnel
        set snmp-index 9
        set interface "port2"
    next
end

 

Fortinet2 sniffer and debug flow output after the change:

 

FGVM08TM22005240 # diagnose sniffer packet any 'host 12.0.0.255' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 12.0.0.255]
2023-09-06 08:41:39.933551 IPSEC1 in 10.0.0.2 -> 12.0.0.255: icmp: echo request
2023-09-06 08:41:39.934089 port3 out 10.0.0.2 -> 12.0.0.255: icmp: echo request
2023-09-06 08:41:44.490902 IPSEC1 in 10.0.0.2 -> 12.0.0.255: icmp: echo request
2023-09-06 08:41:44.490921 port3 out 10.0.0.2 -> 12.0.0.255: icmp: echo request
2023-09-06 08:41:49.494300 IPSEC1 in 10.0.0.2 -> 12.0.0.255: icmp: echo request
2023-09-06 08:41:49.494319 port3 out 10.0.0.2 -> 12.0.0.255: icmp: echo request

FGVM08TM22005240 # diagnose debug flow filter addr 12.0.0.255
FGVM08TM22005240 # diagnose debug flow filter proto 1
FGVM08TM22005240 # diagnose debug console timestamp enable
FGVM08TM22005240 # diagnose debug flow trace start 100
FGVM08TM22005240 # diagnose debug enable

FGVM08TM22005240 # 2023-09-06 08:45:01 id=65308 trace_id=10 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:1->12.0.0.255:2048) tun_id=11.0.0.1 from IPSEC1. type=8, code=0, id=1, seq=1447."
2023-09-06 08:45:01 id=65308 trace_id=10 func=init_ip_session_common line=6121 msg="allocate a new session-000004ab, tun_id=11.0.0.1"
2023-09-06 08:45:01 id=65308 trace_id=10 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
2023-09-06 08:45:01 id=65308 trace_id=10 func=__iprope_tree_check line=531 msg="gnum-100004, use addr/intf hash, len=2"
2023-09-06 08:45:01 id=65308 trace_id=10 func=fw_forward_handler line=930 msg="Allowed by Policy-2:"
2023-09-06 08:45:01 id=65308 trace_id=10 func=ip_session_confirm_final line=3189 msg="npu_state=0x100, hook=4"
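To tell the two outcomes apart quickly when a unit produces many traces, the following added example (not part of the article and not Fortinet code) parses `diagnose debug flow` output, groups lines by trace_id, and reports whether a packet was handled on the local-in path (dropped by policy 0, as before the change) or the forward path (allowed by Policy-2, as after). The sample lines are the before/after traces from this article, reflowed onto one line each; the function names and the wording of the findings are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the article's before/after flow traces, each reflowed onto one line.
SAMPLE_TRACE = """\
id=65308 trace_id=1 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:1->12.0.0.255:2048) tun_id=11.0.0.1 from IPSEC1. type=8, code=0, id=1, seq=1422."
id=65308 trace_id=1 func=init_ip_session_common line=6121 msg="allocate a new session-00000255, tun_id=11.0.0.1"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=90000000 gw-0.0.0.0 via root"
id=65308 trace_id=1 func=fw_local_in_handler line=545 msg="iprope_in_check() check failed on policy 0, drop"
2023-09-06 08:45:01 id=65308 trace_id=10 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:1->12.0.0.255:2048) tun_id=11.0.0.1 from IPSEC1. type=8, code=0, id=1, seq=1447."
2023-09-06 08:45:01 id=65308 trace_id=10 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
2023-09-06 08:45:01 id=65308 trace_id=10 func=__iprope_tree_check line=531 msg="gnum-100004, use addr/intf hash, len=2"
2023-09-06 08:45:01 id=65308 trace_id=10 func=fw_forward_handler line=930 msg="Allowed by Policy-2:"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) .*?msg="(?P<msg>.*)"')
PKT_RE = re.compile(r'received a packet\(proto=\d+, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\).*? from (?P<iface>\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (?P<via>\S+)')
POLICY_RE = re.compile(r'Allowed by Policy-(?P<allow>\d+)|check failed on policy (?P<deny>\d+), drop')

def classify_flow_trace(text):
    """Group flow-trace lines by trace_id; record ingress, route target, path and verdict."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # prompt echoes and other noise
        t, func, msg = traces[int(m['tid'])], m['func'], m['msg']
        if func == 'print_pkt_detail' and (p := PKT_RE.search(msg)):
            t.update(src=p['src'], dst=p['dst'], in_iface=p['iface'])
        elif (r := ROUTE_RE.search(msg)):
            t['route_via'] = r['via']  # 'root' = delivered to the unit itself, else the egress interface
        elif (pm := POLICY_RE.search(msg)):
            t['verdict'] = 'allowed' if pm['allow'] else 'dropped'
            t['policy'] = int(pm['allow'] or pm['deny'])
            t['path'] = 'forward' if func == 'fw_forward_handler' else 'local-in'
    return dict(traces)

def diagnose_directed_broadcast(t):
    """Turn one parsed trace into a one-line finding for the directed-broadcast case."""
    if t.get('path') == 'local-in' and t.get('route_via') == 'root' and t.get('verdict') == 'dropped':
        return (f"{t['dst']} from {t['in_iface']} handled as local-in and dropped by local-in policy "
                f"{t['policy']}: check 'set broadcast-forward' on {t['in_iface']}")
    if t.get('path') == 'forward' and t.get('verdict') == 'allowed':
        return f"{t['dst']} from {t['in_iface']} forwarded via {t['route_via']} by policy {t['policy']}"
    return 'inconclusive trace'
```

Run it against the pasted output of `diagnose debug flow trace` instead of SAMPLE_TRACE; a trace that routes 'via root' and ends in fw_local_in_handler is the signature of the pre-change behaviour.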

 

Related article:

Technical Tip: Broadcast traffic over site-to-site IPsec VPN